Computer networks are often configured to incorporate network security systems in order to detect anomalous activity or otherwise protect the networks against malicious activity, such as the deployment of malware or the propagation of viruses by attackers. Network security systems are typically implemented as rule-based systems, statistical-based systems, or a combination of both. A rule-based network security system relies on extensive sets of signatures or other security rules in order to detect malicious activity in network traffic. These rules are in many cases written by domain experts and manually added to the system. Some rules are highly specific to the detection of a particular malicious activity scenario (for example, a byte pattern known to occur in a particular piece of malware), while other rules are behavioral rules configured to detect anomalous or suspicious activity, such as an unusually large volume of data being transferred out of the network.
Statistical-based network security systems, on the other hand, utilize statistical algorithms to learn the network traffic patterns and activity of a given network and establish a baseline of "normal" network activity for that network. A statistical-based network security system then monitors network traffic and activity and compares the collected information against the established baseline in order to detect anomalous network activity. The efficacy and usefulness of such a system depend primarily on its ability to learn the normal patterns of network traffic and activity for the given network. This is not a trivial matter, as most networks are extremely dynamic and diverse with regard to the protocols in use, their configurations, the services they provide, and their usage times, so a baseline that is learned too narrowly produces false positives and one that is learned too broadly misses genuine anomalies.
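The two approaches described above, as an added illustration that is not part of this document or of any system it describes: a small rule-based detector (two constructed byte-pattern signatures and one behavioral threshold rule) and a small statistical detector (a per-host baseline of outbound bytes per observation window, scored as a z-score) are run over the same set of constructed flow records. The hosts, signature strings, the 50 MB threshold, the z-score cutoff of 3.0 and all traffic volumes are assumptions chosen for the example, not values taken from the text.

```python
"""Added illustrative example (not the system described in the text): a
rule-based detector and a statistical baseline detector run over constructed
flow records. All hosts, signatures, thresholds and traffic volumes are made up."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    src: str        # internal source host
    dst: str        # external destination
    dport: int
    bytes_out: int  # bytes sent from src to dst
    payload: bytes  # leading payload bytes, used for signature matching


# --- Rule-based detection: signatures plus a behavioral threshold rule ------
# Byte patterns an analyst might hand-write for known-bad traffic (constructed).
SIGNATURES = {
    "telnet-bot-command": b"/bin/busybox MIRAI",
    "recon-shell-probe": b"uname -a; id",
}
# Behavioral rule: a single flow moving more than this many bytes out is
# flagged as a possible exfiltration (assumed threshold, 50 MB).
EXFIL_BYTES_THRESHOLD = 50_000_000


def rule_based_alerts(flows):
    """Return (rule_name, src, dst) for every flow that matches a rule."""
    alerts = []
    for f in flows:
        for name, pattern in SIGNATURES.items():
            if pattern in f.payload:
                alerts.append((name, f.src, f.dst))
        if f.bytes_out > EXFIL_BYTES_THRESHOLD:
            alerts.append(("large-outbound-transfer", f.src, f.dst))
    return alerts


# --- Statistical detection: per-host baseline of outbound bytes per window --
def aggregate_outbound(flows):
    """Sum outbound bytes per source host for one observation window."""
    totals = {}
    for f in flows:
        totals[f.src] = totals.get(f.src, 0) + f.bytes_out
    return totals


def learn_baseline(training_windows):
    """training_windows: list of {host: bytes_out} dicts from a period
    believed to be clean. Returns {host: (mean, population stddev)}."""
    samples = {}
    for window in training_windows:
        for host, b in window.items():
            samples.setdefault(host, []).append(b)
    return {h: (mean(s), pstdev(s)) for h, s in samples.items()}


def statistical_alerts(baseline, window, z_threshold=3.0):
    """Score each host's outbound volume against its baseline. Hosts that
    never appeared during training are reported separately, because no
    baseline exists for them."""
    alerts = []
    for host, b in window.items():
        if host not in baseline:
            alerts.append((host, "unseen-host", b))
            continue
        mu, sigma = baseline[host]
        # Floor sigma so a constant training series cannot divide by zero (assumption).
        sigma = max(sigma, 1.0)
        z = (b - mu) / sigma
        if z > z_threshold:
            alerts.append((host, "outbound-volume-anomaly", round(z, 1)))
    return alerts


# --- Constructed sample data ------------------------------------------------
# Ten clean training windows: 10.0.0.5 sends about 1 MB per window, 10.0.0.7
# about 200 KB.
TRAINING_WINDOWS = [
    {"10.0.0.5": a, "10.0.0.7": b}
    for a, b in zip(
        [1_000_000, 1_050_000, 980_000, 1_020_000, 990_000,
         1_010_000, 1_030_000, 970_000, 1_000_000, 1_040_000],
        [200_000, 220_000, 190_000, 210_000, 200_000,
         205_000, 195_000, 215_000, 185_000, 200_000],
    )
]
BASELINE = learn_baseline(TRAINING_WINDOWS)

# One observed window containing benign traffic plus three suspicious flows.
OBSERVED_FLOWS = [
    Flow("10.0.0.5", "203.0.113.9", 443, 9_000_000, b"\x16\x03\x01"),      # 9x normal volume
    Flow("10.0.0.7", "192.0.2.10", 80, 210_000, b"GET / HTTP/1.1"),        # benign
    Flow("10.0.0.7", "198.51.100.4", 23, 600, b"/bin/busybox MIRAI"),      # signature hit
    Flow("10.0.0.9", "203.0.113.20", 22, 80_000_000, b"SSH-2.0-OpenSSH"),  # threshold hit, unseen host
]


def run_detectors(flows=OBSERVED_FLOWS, baseline=BASELINE):
    """Run both detectors over one window and return their alerts side by side."""
    return {
        "rule_based": rule_based_alerts(flows),
        "statistical": statistical_alerts(baseline, aggregate_outbound(flows)),
    }


if __name__ == "__main__":
    for kind, alerts in run_detectors().items():
        print(kind, alerts)
```

The two detectors flag different things in the same window: the signature and the 50 MB threshold catch the flows they were written for and nothing else, while the baseline detector flags the host whose volume is far above its own history even though no rule mentions it, and also reports the host it has never seen, for which it can say nothing either way. The baseline here is keyed only by host; in practice the diversity the text refers to means it would have to be keyed by protocol, service and time of day as well, and retrained as the network changes, which is the hard part of the statistical approach.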